DHS Task Force Releases Guidelines for 190 Supply Chain Threats Affecting Government and ICT Companies

• The DHS Task Force was formed with an aim to provide advice to the federal government for assessing and managing risks associated with the ICT supply chain.
• The team is constituted of four different working groups from different sectors, subject matter experts and representatives from across the Federal government.

The U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has released a list of recommendations to fight against the growing arrays of threats in the government’s tech supply chain. As reported by Nextgov, the DHS’s special Task Force has identified approximately 190 threats across nine groups that include counterfeit parts and insider threats.

What is this Task Force?

The DHS Task Force was formed in 2018 with an aim to provide advice and recommendations to the federal government for assessing and managing risks associated with the ICT supply chain.

The team constituted of four different working groups from different sectors, subject matter experts and representatives from across the Federal government.

The four working groups are:

• Information Sharing: Involved in the development of a common framework for the bi-directional sharing of actionable supply chain risk information across the community.
• Threat Evaluation: Responsible for the identification of processes and criteria to better understand and evaluate threats to ICT supplies, products, and services.
• Qualified Bidder Lists and Qualified Manufacturer List (QBL/QML): Responsible for identification of market segments and evaluation criteria to establish Qualified Bidder and Qualified Manufacturer Lists that address consideration of vendors and product inclusion and exclusion.
• Policy recommendations: The group aims at stopping the growing problem of counterfeit ICT procurement.

The nine identified ‘Threat Groups’

During inventory development, these working groups identified nine significant threat groups which correspond to:

• Counterfeit parts
• Cybersecurity
• Internal Security Operations and Controls
• System Development Life Cycle (SDLC) Processes and Tools
• Insider threats
• Economic risks
• Inherited Risk (Extended supplier chain)
• Legal risks
• External end-to-end supply chain risks (natural disasters, geopolitical issues)

Apart from threats, the task force has also outlined some 40 scenarios related to the nine groups. This includes ransomware attacks, contractor compromise challenges, supplier ownership changes, and natural disasters.

These scenarios have been created based on several vulnerabilities such as business impacts, potential business mitigation strategies, and controls.

Future prospects

CISA has not released the complete inventory due to its sensitive nature. However, the officials have noted that it includes approximately 190 threats. Federal leaders and ICT companies can use the information to evaluate their security posture and model future threat scenarios.

Going forward, the Task Force intends to develop more actionable strategies that can be implemented by the government and private companies to evaluate supply chain risk from different vendors. Additionally, it plans to set up standardized methods for vendors to improve their supply chain risk management practices.